In February, I described how to configure the softtoken store of the Solaris Cryptographic Framework as a "software HSM" for Oracle TDE. In the meantime, the SCA 6000 card was certified for use with Oracle TDE. There is also a whitepaper available, describing SCA 6000 setup and configuration for TDE. I was lucky enough to get my hands on one of these cards and test it for myself. It works, of course. What makes using the SCA 6000 so attractive is the additional possibilities the card has to offer. You can lock and unlock the keystore to prevent any further wallet and column encryption operations. You can also implement a two-person rule, using the card's software. This makes it possible to separate access to the master key from "normal" database administration, which is often required in high-security environments.